Global cyber attack could result in £40 billion of losses to business, say Lloyd’s of London

A major, global cyber attack could trigger an average of £40bn in economic losses, Lloyd’s of London says in a report, co-written with risk-modeling firm Cyence. The report examines potential losses from the hypothetical hacking of a cloud service provider and cyber attacks on computer operating systems run by businesses worldwide.

Insurers are struggling to measure their potential exposure to cyber-related losses amid mounting cyber risks and interest in cyber insurance (Lloyd’s is estimated to have a 22.5% share of the £1.9bn cyber insurance market). A lack of historical data on which insurers can base assumptions is a key challenge. “Because cyber is virtual, it is such a difficult task to understand how it will accumulate in a big event,” Lloyd’s of London chief executive Inga Beale told Reuters.

Economic costs in the hypothetical cloud provider attack dwarf the £6bn global cost of the ‘WannaCry’ ransomware attack in May, which spread to more than 100 countries, according to Cyence. The Lloyd’s report follows a US Government warning to industrial firms about a hacking campaign targeting the nuclear and energy sectors.

In June, an attack of a virus dubbed ‘NotPetya’ spread from infections in Ukraine to businesses around the globe. It encrypted data on infected machines, rendering them inoperable and disrupted activity at ports, law firms and factories, causing £650m in economic losses.

In the hypothetical cloud service attack in the Lloyd’s-Cyence scenario, hackers inserted malicious code into a cloud provider’s software that was designed to trigger system crashes among users a year later. By then, the malware would have spread among the provider’s customers, from financial services companies to hotels, causing all to lose income and incur other expenses.

Average economic losses caused by such a disruption could range from £3.5bn to £40bn billion for large to extreme events. But actual losses could be as high as £92bn, the report said. As much as $45 billion of that sum may not be covered by cyber policies due to companies under-insuring, the report said.